Enterprise Accounts

Description

GNOME 3.0 introduced a nice control-center panel for managing local user accounts. The user panel currently only shows user accounts found in /etc/passwd (plus some additional per-user information stored outside that file).

It would be good if the panel were aware of centrally managed user accounts that might come from a directory service such as LDAP or AD (Active Directory). One difference in this scenario is that such accounts will often not be editable locally at all, and there may be far too many of them to show all in the list.

It would also be good if other aspects of user identity, such as Kerberos tickets, were integrated into the control-center, including ticket renewal and domain logon. Some of this functionality is currently provided by the krb5-auth-dialog module.

Although the initial design called for this functionality to be added to the user panel, the current plan is to make secondary Kerberos identities appear in the online-accounts panel. The ticket renewal functionality may either be taken over by a gnome-settings-daemon plugin or by the goa-daemon that already issues notifications about expired online accounts.

Other modules that show user information like the gnome-shell user menu may need small adjustments too.

A related goal is to make GNOME machines very easy to enroll in AD domains and to allow users to log on to such domains using their AD user ID. This will require changes in the login screen (gnome-shell, gdm) and in the new gnome-initial-setup tool.

Current Status

The Kerberos support will add a krb5-libs dependency to gnome-control-center and gnome-settings-daemon, but it will be optional, controlled by a --disable-kerberos configure option. The AD enrollment makes use of a new D-Bus service, called realmd, which is currently under development; it will be an optional runtime dependency.